NexShield

NexShield is a malicious Chrome/Edge browser extension used in a KongTuke-attributed campaign (observed by Huntress in Jan 2026) that impersonates the legitimate uBlock Origin Lite ad blocker (near-clone of Raymond Hill’s uBOL codebase) and is distributed via malvertising that leads victims to an official Chrome Web Store listing (extension ID: cpcdkmjddocikjdkbbeiaafnpdbdafmi; developer email: alaynna6899@gmail.com). After installation, it delays execution (Chrome Alarms API; ~60-minute initial delay, then recurring) and performs telemetry/C2 beacons (UUID-based install/update/uninstall tracking) to attacker infrastructure including a typosquatted domain nexsnield[.]com.

Its core malicious behavior is an intentional self-DoS of the browser by creating massive numbers of chrome.runtime port connections in a tight loop, causing severe slowdown/unresponsiveness and crashes. This forced-crash behavior is used to enable a ClickFix-style social-engineering flow dubbed “CrashFix”: after restart, the extension displays a fake “browser stopped abnormally”/“Security Warning” prompt that instructs the user to open Windows Run (Win+R) and paste/execute clipboard contents, while NexShield silently places a malicious PowerShell command onto the clipboard. The CrashFix UI includes anti-analysis/anti-inspection measures (blocking DevTools shortcuts such as F12/Ctrl+Shift+I/J/C, disabling right-click, and preventing text selection/dragging).

Downstream execution (triggered by the user pasting/running the clipboard command) abuses the Windows LOLBin finger.exe by copying it from System32 to %TEMP% and renaming it to ct.exe, then using it to retrieve commands from 199.217.98[.]108 and pipe responses for execution (including PowerShell stages). Later stages include extensive anti-analysis and victim profiling (scanning for 50+ analysis/security tools and VM artifacts; checking domain-joined vs WORKGROUP) and selective payloading. Domain-joined hosts are reported to receive a “VIP” payload delivered via Dropbox: a portable Python environment (WinPython) that runs a Python RAT named ModeloRAT (previously undocumented in the report), which uses RC4-encrypted C2, persists via HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value name “MonitoringService”), and beacons over HTTP/80 to 170.168.103[.]208 and 158.247.252[.]178. Non-domain hosts are described as following a different, more obfuscated chain (including DGA-driven behavior, AMSI bypasses, and a .NET “GateKeeper” loader), and in at least one analyzed branch the actor returned a decoy response (“TEST PAYLOAD!!!!”), consistent with staged rollout or sandbox evasion.

Notable IOCs explicitly mentioned include: Chrome Web Store path /detail/nexshield–advanced-web/cpcdkmjddocikjdkbbeiaafnpdbdafmi; extension ID cpcdkmjddocikjdkbbeiaafnpdbdafmi; developer email alaynna6899@gmail.com; domain nexsnield[.]com; IP 199.217.98[.]108 (including POST to /n with markers ABCD111/BCDA222); Dropbox delivery URL https://www.dropbox.com/scl/fi/6gscgf35byvflw4y6x4i0/b1.zip?rlkey=bk2hvxvw53ggzhbjiftppej50&st=yyxnfu71&dl=1; ModeloRAT C2 IPs 170.168.103[.]208 and 158.247.252[.]178.